Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect parsing of YARA Indicators using 'vt' module #9583

Open
rreindeer opened this issue Jan 14, 2025 · 0 comments
Open

Incorrect parsing of YARA Indicators using 'vt' module #9583

rreindeer opened this issue Jan 14, 2025 · 0 comments
Labels
bug use for describing something not working as expected needs triage use to identify issue needing triage from Filigran Product team

Comments

@rreindeer
Copy link

rreindeer commented Jan 14, 2025
edited
Loading

Description

The analyst workbench validator incorrectly parses Indicators containing YARA rules that import the 'vt' module.

Environment

  1. OS (where OpenCTI server runs): Debian 6.1
  2. OpenCTI version: OpenCTI 6.4.6
  3. OpenCTI client: frontend
  4. Other environment details:

Reproducible Steps

  1. Upload file 'yara.json' (yara.json) through the 'Data > Import' interface
  2. Launch an import of the uploaded file
  3. Navigate through the new workbench and validate it

Expected Output

Both indicators of pattern-type 'yara' within the bundle in 'yara.json' should be added as Indicators on the platform after the workbench validation.

Actual Output

The 'Test_good' Indicator is added, but the 'Test_bad', which contains the 'vt' module import, isn't. The platform logs an error when importing 'Test_bad' stating that the rule is not correctly formatted.

Additional information

Log:
opencti_1 | {"category":"APP","errorData":{"error":"{'name': 'FUNCTIONAL_ERROR', 'error_message': 'Indicator of type yara is not correctly formatted.'}","source":"{\"type\": \"indicator\", \"spec_version\": \"2.1\", \"id\": \"indicator--42dd3fad-3ea3-4696-aef0-c6f2fd72c0e5\", \"created\": \"2025-01-13T11:52:59.638138Z\", \"modified\": \"2025-01-13T11:52:59.638138Z\", \"name\": \"Test_bad\", \"indicator_types\": [\"malicious-activity\"], \"pattern\": \"import \\\"vt\\\"\\nrule BackoffROM \\n { \\n \\tmeta: \\n \\t\\tauthor = \\\"Alienvault Labs\\\" \\n \\t\\treference = \\\"http://blog.fortinet.com/post/rom-a-new-version-of-the-backoff-pos-malware\\\" \\n \\tstrings: \\n \\t\\t$mz = {4d 5a} \\n \\t\\t$mutex = \\\"aMD6qt7lWb1N3TNBSe4N\\\" \\n \\t\\t$httpparam1 = \\\"data=%s\\\" \\n \\t\\t$httpparam2 = \\\"oprat=%d\\\" \\n \\t\\t$httpparam3 = \\\"uid=%s\\\" \\n \\t\\t$httpparam4 = \\\"uinfo=%s\\\" \\n \\t\\t$httpparam5 = \\\"win=%d\\\" \\n \\t\\t$httpparam6 = \\\"grup=%s\\\" \\n \\t\\t$httpparam7 = \\\"vers=%s\\\" \\n \\tcondition: \\n \\t\\t($mz at 0) and ($mutex or all of ($httpparam*)) \\n }\", \"pattern_type\": \"yara\", \"valid_from\": \"2025-01-13T11:52:59.638138Z\", \"nb_deps\": 1, \"x_opencti_score\": null, \"x_opencti_detection\": null, \"x_opencti_create_observables\": null, \"x_opencti_stix_ids\": null, \"x_opencti_granted_refs\": null, \"x_opencti_workflow_id\": null}"},"level":"error","message":"{'name': 'FUNCTIONAL_ERROR', 'error_message': 'Indicator of type yara is not correctly formatted.'}","source":"backend","timestamp":"2025-01-14T08:44:24.391Z","version":"6.4.6"}

Screenshots (optional)

N/A
@rreindeer rreindeer added bug use for describing something not working as expected needs triage use to identify issue needing triage from Filigran Product team labels Jan 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug use for describing something not working as expected needs triage use to identify issue needing triage from Filigran Product team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rreindeer